200K Medicaid beneficiaries affected by data leak

USA, South Carolina. More than 200,000 South Carolina residents have become victims of the actions of an insider.

An employee of Medicaid – the state health care program for those in need – sent patients' personal data to his personal email account. He managed to get hold of data belonging to a quarter of all Medicaid clients in South Carolina, about 228,000 original records including personal data. Of these, no fewer than 22,000 contained an identification number linked to the patient's Social Security number, the holy grail for fraudsters.

An internal investigation has shown that the accused gathered the information over a period of time. Since the end of January, he had sent 17 emails with spreadsheets containing personal data. We note that by virtue of his official position, the insider had authorized access to personal data belonging to residents of the state.

Medicaid has already warned its patients of the comprehensive theft of their data, and has also promised to offer free access to bank transaction monitoring services. The man has been arrested and is awaiting trial. If he is found guilty, he will spend the next ten years in custody.

Those in charge of South Carolina's Medicaid program have estimated the damage resulting from this information leak to be at least USD 1.5 million. They plan to spend USD 1 million on the elimination of threats resulting from the incident, and USD 500,000 on introducing additional measures to protect information. It is possible that the organization will also have to pay a fine for the unauthorized disclosure of personal data, which could amount to another USD 1.5 million.

InfoWatch's Nikolay Fedotov offered the following comments: «This kind of data is used in the US for health care fraud. Clinics present the Social Security Administration with a bill for treatments which they have allegedly carried out, and so receive money which they have not earned. There have also been cases of virtual organizations, entirely fake medical institutions, who have bought up personal data belonging to patients and doctors, and then claimed that the former had been treated by the latter.

The Social Security Administration rarely checks that treatments have actually been carried out. They are usually content just to verify the personal data. But the verification is careless: there have been cases where one patient has allegedly been lying in hospital in two different states at the same time, but bureaucrats did not unveil this remarkable coincidence».
